Rapid7’s Threat Intelligence team published an investigation this week unmasking what looked like a routine Chaos ransomware-as-a-service hit as something considerably more inconvenient: an Iranian state-sponsored espionage operation that planted ransomware artifacts as a false flag. The activity is being attributed with high confidence to MuddyWater (Mango Sandstorm, Static Kitten, TA450), the cyber unit operated by Iran’s Ministry of Intelligence and Security (MOIS).

What actually happened

The intrusion began not with a phishing email or an exploited edge appliance, but with a Microsoft Teams screen-sharing session. The MuddyWater operator messaged employees of the target organization directly through Teams, walked them through an “IT support” pretext, and used the screen-share to capture credentials and coach the user through approving MFA prompts in real time. Once a foothold was established, the rest of the chain unrolled fast.

The malware chain has two stages, both signed with a code-signing certificate previously tied to MuddyWater operations:

  • ms_upd.exe (Stagecomp) — a system-profiling loader that fingerprints the host, beacons out to the C2, and drops the next stage along with a WebView2Loader.dll sideloading artifact and a visualwincomp.txt payload blob.
  • game.exe (Darkcomp) — the actual RAT. Polls C2 every 60 seconds for instructions; supports arbitrary shell command execution, script execution, file read/write, and persistent reverse-shell handling.

Persistence was layered: scheduled tasks for the Stagecomp/Darkcomp pair, plus a deployment of DWAgent (a legitimate remote-management tool, abused as a backup access channel that defenders are less likely to alert on than a custom implant).

The “ransomware” was a costume

This is the part worth dwelling on. The operators staged Chaos ransomware components on disk and dropped a ransom note. But forensics showed no file-encryption activity — no encrypted file extensions, no shadow-copy deletion, no encryption keys generated. Where you would expect a finalize-and-extort phase, there’s only continued reconnaissance, credential harvesting, and exfiltration.

The implications are familiar but worth restating. If responders triage this as a Chaos affiliate hit, the incident gets a victim-notification-and-restore playbook: scope encrypted assets, restore backups, decide on payment, close out. The state-sponsored actor walks out with the intellectual property and persistent access intact, while the victim files the case under “ransomware” and the espionage objective is never identified. That is the entire point of a false-flag op — not to hide the intrusion, but to redirect the post-incident investigation.

Why infrastructure teams should care

Two trends converge in this campaign and both are getting worse:

The first is the abuse of collaboration platforms as an initial-access vector. Microsoft Teams external messaging has been a soft target for at least a year — Black Basta, Storm-1811, and now MuddyWater have all routed initial contact through it. If your tenant accepts external chat by default, an attacker with a spoofed-looking display name is one click away from your employees. Default-deny external Teams chat is the only configuration that holds.

The second is the deliberate blurring of nation-state and criminal TTPs. Iranian, North Korean, and Russian operators increasingly borrow the surface aesthetics of ransomware operations to muddy attribution and to give victims plausible reasons not to call in government-aware responders. The cost of getting this wrong is that critical-infrastructure intrusions get logged as commodity incidents.

Detections worth deploying now

  • Alert on WebView2Loader.dll sideloaded from non-Edge, non-Office process trees.
  • Hunt for any unsigned-or-newly-signed game.exe that beacons on a fixed ~60-second interval.
  • Flag external Microsoft Teams chats that initiate screen-share within the first few minutes of the conversation.
  • Inventory DWAgent installations; this is the kind of dual-use RMM tool that should be allowlisted to known IT-issued endpoints, not deployable by users.
  • Treat any Chaos-branded ransom note that arrives without encrypted files as a high-priority espionage investigation, not a recovery exercise.
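One way to operationalize the fixed-interval beacon hunt from the list above, as an added example that is not part of the Rapid7 report: the script below groups outbound connections by process and destination, then flags flows whose inter-connection gaps cluster tightly around 60 seconds. The flat log format, process paths and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample (not real telemetry): "timestamp|image|dest_ip:port", one
# line per outbound connection. game.exe beacons every ~60 s with small jitter;
# chrome.exe connects at irregular intervals and should not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00|C:\\Users\\bob\\AppData\\Local\\game.exe|203.0.113.10:443
2024-05-01T10:00:04|C:\\Program Files\\Google\\Chrome\\chrome.exe|198.51.100.7:443
2024-05-01T10:01:01|C:\\Users\\bob\\AppData\\Local\\game.exe|203.0.113.10:443
2024-05-01T10:01:59|C:\\Users\\bob\\AppData\\Local\\game.exe|203.0.113.10:443
2024-05-01T10:02:12|C:\\Program Files\\Google\\Chrome\\chrome.exe|198.51.100.7:443
2024-05-01T10:03:00|C:\\Users\\bob\\AppData\\Local\\game.exe|203.0.113.10:443
2024-05-01T10:04:00|C:\\Users\\bob\\AppData\\Local\\game.exe|203.0.113.10:443
2024-05-01T10:04:31|C:\\Program Files\\Google\\Chrome\\chrome.exe|198.51.100.7:443
2024-05-01T10:04:40|C:\\Program Files\\Google\\Chrome\\chrome.exe|198.51.100.7:443
2024-05-01T10:05:01|C:\\Users\\bob\\AppData\\Local\\game.exe|203.0.113.10:443
2024-05-01T10:05:30|C:\\Program Files\\Google\\Chrome\\chrome.exe|198.51.100.7:443
"""

def parse(log):
    """Yield (timestamp, image, destination) tuples from the flat log."""
    for line in log.splitlines():
        ts, image, dest = line.split("|")
        yield datetime.fromisoformat(ts), image, dest

def find_beacons(log, period=60.0, tolerance=5.0, min_conns=5):
    """Return {(image, dest): median_gap_seconds} for flows whose gaps between
    consecutive connections sit near `period` with low jitter."""
    flows = defaultdict(list)
    for ts, image, dest in parse(log):
        flows[(image, dest)].append(ts)
    hits = {}
    for key, times in flows.items():
        if len(times) < min_conns:  # too few samples to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Median near the expected period AND tight spread -> machine-driven timing
        if abs(med - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = med
    return hits

if __name__ == "__main__":
    for (image, dest), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {image} -> {dest} every ~{gap:.0f}s")
```

Tune `tolerance` to the jitter you observe in real telemetry; a generous window catches sleep-with-jitter implants at the cost of more review time.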
